However, government departments are not being advised to move to a rival browser as there is no evidence it would make a difference to security, a Cabinet Office spokesperson said on Tuesday.

"Complex software will always have vulnerabilities and motivated adversaries will always work to discover and take advantage of them," the spokesperson told ZDNet UK. "There is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure. Regular software patching and updating will help defend against the latest threats."

Microsoft said on Wednesday that it will issue an out-of-cycle patch for the browser vulnerability, but did not give a timeframe. The company has acknowledged that exploit code for the flaw is circulating publicly, but said the attack targets IE6. It has urged people to upgrade to IE8, which has stronger protections.

A series of parliamentary questions by MP Tom Watson in 2009 established the extent of IE use in central government. The Department for Work and Pensions (DWP), the Department of Health (DoH) and the Department for Business, Innovation and Skills (BIS) are among the government departments that use IE6 on all desktop and laptop computers. The Home Office is in the process of upgrading from IE6 to IE7.

On Tuesday, the DWP said it is aware of the browser flaw but plans no changes to its use of IE6. "The department, along with our suppliers, is monitoring the situation and will continue to do so," a spokesperson for the DWP said. "Our existing defences are robust, and we do not intend to issue any special instructions to staff at this stage."

The Ministry of Justice (MoJ), which uses IE7 in its upper echelons, is in part relying on its restriction of admin rights to protect its systems.

"We are aware of the Microsoft Security Bulletin which describes this vulnerability and how to address it," a ministry spokesperson said. "MoJ networks are configured to prevent such vulnerabilities being exploited. In addition, the vulnerability is most easily exploited by users with administrative privileges. MoJ users do not have such privileges."

However, security experts questioned the government's approach. Given the situation, civil servants should not use the browser on the internet, according to Chris Wysopal, chief technology officer for security company Veracode.

"There is no question that governments are under the same type of spear-phishing attacks Google was attacked with," said Wysopal. "IE6 should absolutely not be used by government employees to browse non-government websites. Exploits are public, and [the flaw] is being actively exploited."

Ross Anderson, professor of security engineering at Cambridge University, said the government should encourage the use of other browser software by its departments. He pointed out that citizens often had no choice but to use IE on public-sector websites. "The whole thing's a complete mess," said Anderson. "Many government websites won't interact with Firefox or alternatives — you have to use Microsoft if you want to interact with the government."

If the government did urge its departments to switch to a browser such as Firefox or Chrome, that sudden change could cause support problems within government departments, pointed out Graham Cluley, a senior technology consultant at security firm Sophos.

However, the government should at least tell its employees to upgrade their IE software, he said. "There are concerns these hacking attacks are being sponsored by the Chinese," said Cluley. "It would make sense to run up-to-date browser versions to mitigate espionage concerns."
